What Is a Passkey and How Do Passkeys Work?
There’s been a lot of buzz about a passwordless future lately, and it can’t come soon enough. Currently, cybercriminals have access to billions of compromised credentials on the dark web. And at this point, it’s safe to say that few of us haven’t had our passwords stolen in one data breach or another.
To solve this problem, the cybersecurity industry is making steady inroads toward passwordless authentication. Among those leading the charge is the FIDO (“Fast IDentity Online”) Alliance, which has been working on developing passwordless authentication standards. More recently, Apple announced its own passwordless authentication using passkeys, with Google not far behind.
Digital Shadows researchers have found 6.7 billion unique logins—combinations of usernames and passwords—on the dark web. This treasure trove of logins puts a lot of consumers at risk, especially considering how many people reuse their passwords. That’s why adopting passkey-based authentication is likely to become a fast-growing trend.
Let’s dive into what a passkey is and how it’s different from a password.
What is a passkey?
Simply put, a passkey is a passwordless login credential. Built on the FIDO Alliance and W3C WebAuthn standards, it uses public-key cryptography to authenticate your access to websites and apps. Instead of you having to create a password for your account, you let an “authenticator” generate a passkey for it: a pair of mathematically related cryptographic keys. The authenticator can be your smartphone, another mobile device, a hardware security key, or a password manager that supports passkeys.
The authenticator still requires some form of user verification before it will use a passkey. This could be a master password, a device PIN, or biometrics (Face ID or Touch ID), which adds both security and convenience. With biometric verification, you don’t have to remember a password for your authenticator, and the check happens locally on the device: your biometric data is never sent to the website you’re logging in to.
Your passkeys are stored securely in a vault, such as your device’s keychain or your password manager. Depending on the authenticator, they can sync across your devices (through your platform’s keychain or your password manager), so they’re seamless and convenient to use, and the overall user experience with passkeys is an improvement over passwords.
How do passkeys work?
When using passkeys, you don’t have to share a “secret” (in this case, a password or security question) in order to access your accounts. Instead, an authenticator, such as a password manager that supports passkeys or a mobile device, generates a cryptographic key pair for each account you create. One key is public and is stored on the site where you’re creating the account; the other is private and never leaves your authenticator.
Next time you go to sign in, the website sends your authenticator a fresh random challenge. After verifying you (with your biometrics or PIN), the authenticator signs that challenge with the private key, and the website checks the signature using the public key it stored at registration. No secret crosses the wire: the signature is only valid for that one challenge and that one site, so there is nothing a hacker who intercepts it could reuse.
Passkeys vs. passwords
In the process described above, no secrets are exchanged between the server and your authenticator. This is different from password-based authentication, where you send the password itself to the server, which compares it against the copy (usually a hash) it keeps on file. And since they’re based on public-key cryptography, passkeys don’t require the server to store a shared secret either: all it holds is your public key, which is useless for logging in on its own.
These are just two reasons why passkeys are more secure than passwords. While no authentication method is completely foolproof, several other factors make passkeys more secure than passwords:
- They can’t be guessed, and because each one is generated for a single site, a passkey for one account can’t be reused on another.
- They’re phishing-resistant. Passkeys are bound to the domain of the app or website they’re created for: your browser only offers a passkey to the site it was registered on, and the signed response is tied to that domain, so a malicious actor can’t trick you into using the passkey on a look-alike or fraudulent site.
- Since the private key stays in your authenticator (and, for synced passkeys, in your end-to-end encrypted vault), cybercriminals who hack into the provider’s server or database get only public keys, which can’t be used to log in.
Will passkeys replace passwords?
It will likely take a few years, but passkeys are expected to eventually replace passwords. At the time of writing, only a few websites support passkeys, including PayPal, eBay, Microsoft, and Best Buy.
The FIDO Alliance has been working on passwordless authentication standards for some time. The most important development, however, came recently when the technology consortium announced it had proposed a method to store cryptographic keys so they can sync between devices. (In fact, FIDO calls passkeys multi-device FIDO credentials.) This paves the way for the wider adoption of passkeys.
When adoption goes mainstream, passkeys will bring a major shift in how you log in to your accounts—and a giant step toward keeping your data private.
Recently, Dashlane launched integrated passkey support, becoming the first in the industry to offer an in-browser passkey solution. This is a natural step toward further simplifying security for businesses and their people.
You’ll be able to log in across websites seamlessly with your Dashlane app, store your passkeys in Dashlane, and automatically log in to your accounts. And thanks to our patented zero-knowledge architecture, you benefit from yet another security layer because no one except you can access your logins (not even us).
Passkeys are a simpler and more secure way to log in. Learn how they work and how Dashlane streamlines access.